J2EE Security

Similar Messages

• Custom Policy vs. J2EE Security

  Hi there, Java Security architecture gurus,
  I am currently trying to find the best architecture for the new security framework for our company's application. The system requires instance based security. ACLs are stored in a database. JAAS's authentication is just fine, but its file based authorization is not sufficient for our needs. Access rights change during runtime and they should not be refreshed that inefficient way with Policy.refresh().
  The solution I would like to establish should cope with changing environments without the need to change the code that is using security checks. E.g. the app should be able to run as a stand-alone application or within J2EE application servers or servlet engines.
  I have looked at the Java 2 Security API and found out that implementing a customized version of the JAAS Policy class can be one approach. A good benefit is the tight integration with the Java Security framework and that it not necessary to reimplement things like the AccessController and privileged actions.
  Now, I have the following questions:
  - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
  - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
  The alternative approach would probably be J2EE security with the cost of restricting the app to the J2EE environment. To me it seems to be impossible to implement instance based security with role based descriptive J2EE security. With programatic EJB security, I would need to make isPrincipalInRole() completely dynamic to support it.
  I looked through the forum for quite a while without success but if you already discussed this topic I would really appreciate a pointer.
  Thanks,
  Christoph

  Chris,
  There is a very good article from IBM that implements the same thing you are trying to implement i.e. instance base security and also custom Policy(u may need this).
  http://www-106.ibm.com/developerworks/library/j-jaas/?n-j-442
  Now, I have the following questions:
  - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
  Custom policy is required primarily if you are going away from the default policy format that sun recommends. If you want to read your permissions from a database you may need to implement a custom Policy class.
  - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.
  This is recommended by Sun. You may have to delegate the Permission checks that you know you cannot handle to default policy class.
  In your CustomPolicy.java getPermissions() method, the following code will code to the end of the function
  // If the permission is not found here then delegate it
  // to the standard java Policy class instance.
  java.security.Policy policy = java.security.Policy.getPolicy();
  return policy.getPermissions(codeSource);
  Hope this helps.

• How to find solution for avoiding WARNING J2EE SECUR-00100 ********** user-manager (see application/server descriptors) will no longer be supported in the next release of this product

  HI All,
  We are using Oc4j version 10g 10.1.3 , and while starting conatiner  getting below warning , let me know if anyone have solution for this,.
  14/01/10 01:01:29 ********** user-manager (see application/server descriptors) will no longer be supported in the next release of this product!
  Please take the appropriate actions to migrate to an alternative strategy! **********
  2014-01-10 01:01:29.833 WARNING J2EE SECUR-00100 ********** user-manager (see application/server descriptors) will no longer be supported in the next release
  of this product!

  I just checked my BIOS and my current setting is set at IDE although it also mentions that the default should be AHCI. Currently I have a dual boot of Windows 7 (need it for Tax software) and Arch
  So I guess, when I get the new HDD, I will first set it to AHCI and then install the OSes on it. See if NCQ helps any, and if not I will turn it back and re-install (if I have to). I am planning to have Windows only in virtualbox in the new drive.
  Anyhoo, while I was in the BIOS I found two things which I had questions about :
  1) Under Onboard Devices --> Integrated NIC , my setting is currently set at "On w/PXE" and it says the default should be just "On". Would it be ok to change it back to On since its a single machine and its not booting an OS on any server. I just don't want to have to re-install anything now since I will be doing that in the new HDD.
  2) How would I know whether my BIOS would support a 64 bit OS in Virtualbox? I checked some setting under Virtualization, but they weren't very clear.
  I will edit this post and let you know exactly what settings were present under the Virtualization sub-section.

• SOAP and J2EE security

  We have deployed several SOAP services (Apache SOAP) on a WLS6.1
  server. Since there are more and more services are being deployed
  people are getting worried about security. I was wondering what the
  best solution was to to authentication and authorization on EJB and
  method level for SOAP clients ? I was thinking about the following
  solution: use the standard J2EE security by defining security
  constrainst in the ejb-jar.xml file. Therefor every client needs to
  provide credentials to use the EJB's (this should work for both
  RMI/IIOP and SOAP clients).
  What are your ideas and opinions about this solution ?
  If you post a reply please CC to [email protected]

  Hi,
  Let me know if you find answer of your question.
  thanks

• Struts/servlet page flow problem due to j2ee security

  Whe I type url such as http://localhost:7777/myapp/action.do, I want to see the execution result page from this action. However the result page will always be index.jsp because j2ee security which I have a loginaction.do and its result page is index.jsp. How can I have overcome this problem.
  Thanks,

  To give more details about the problem I have, user likes to put a URL in the browser, then press enter. User likes to see the running results. However, user is not able to see the results because j2ee security requires user log in. After sucessful login, user is going to see the index page. My question is how user be able to view his result page after login.
  cheers.

• Using dynamic groups for j2ee security

  Hi all,
  I have my realm setup in server.xml and my standard and sun-specific deployment descriptors setup for j2ee security.
  Everything seems to work fine for groups defined via uniquemember attributes (all users are specified), but I'm having trouble with dynamic groups (defined with the memberurl attribute)
  How do I configure my realm in my server.xml to get this working?

  Hi,
  I got an official answer from SUN.
  "Dynamic Groups" are not (longer) supported with SJS AS 7!
  It will probably be supported with SJS AS 8 SE.
  If you have a iPlanet 6.5 application that is running with dynamic groups, just wait a little bit before you migrate.

• J2ee Security methods in JSF

  Is it possible to bind to J2ee Security methods in JSF pages, like request.getUserPrincipal() or request.isUserInRole("rolename)?

  Hi,
  actually you can use EL if you create a method in a managed bean to check for a specific role membership. Reference the method - which returns true or false - from EL. Note that EL cannot have arguments and for this reason you cannot directly pass in role names as argumens
  Frank

• JAAS or regular J2EE Security?

  Hi, can some offer me some examples of why I should prefer JAAS (and vice versa) over J2EE security via constraints and roles in web.xml? I'm just not sure which to use...
  Thanks...

  hi,
  you should have a look towards jGuard to use JAAS in j2ee in an easy way:
  homepage:
  http://jguard.sourceforge.net/
  sourceforge page:
  http://sourceforge.net/projects/jguard
  it hides the JAAS complexity , and enable dynamic configuration, and great flexibility!
  sincerly yours,
  Charles(jguard team).

• J2ee security and page flow problem

  To give more details about the problem I have, user likes to put a URL in the browser, then press enter. User likes to see the running results. However, user is not able to see the results because j2ee security requires user log in. After sucessful login, user is going to see the index page. My question is how user be able to view his result page after login.
  cheers.

  In the future, please post JSP/Servlet questions in the appropriate forum: http://forum.java.sun.com/category.jspa?categoryID=20
  This is pretty simple to do:
  1) set up a Filter that applies to a specific url pattern, such as " /protected/* " so that the Filter is invoked when resources within the "protected/" path get accessed
  2) in the Filter code, store the user's desired path in the session scope (let's call it "loginRedirectFrom") and redirect the user to the login screen.
  3) in your login servlet/jsp, after the user has been verified, redirect to the url you stored in "loginRedirectForm".

• OID Dynamic Groups and J2EE security roles

  Hi
  I've searched the forums but can't get a definite answer. Is it possible to use OID dynamic groups and map them to J2EE security roles? I can't find anything that says specificially not but I can't seem to get it to work.
  Thanks
  Adam

  Hi,
  Let me know if you find answer of your question.
  thanks

• Authorization check for caller assignment to J2EE security role

  Dears experts, in the default.trc logs in, my Enterprise Portal NW2004s, appear this error:
  #1.#0018714E4A14005E000027E1000057B8000441BB7EF2FC03#1198173451524#com.sap.engine.services.security.roles.SecurityRoleReference#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleReference#Guest#2126####46ce8210aefd11dcc68f0018714e4a14#Thread[Thread-59,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Audit/J2EE#Java###: Authorization check for caller assignment to J2EE security role [ : ] referencing J2EE security role [ : ].#5#ACCESS.ERROR#service.jms.default.authorization#administrators#SAP-J2EE-Engine#administrators#
  #1.#0018714E4A14005E000027E5000057B8000441BB7F8BDC21#1198173461543#com.sap.engine.services.security.roles.SecurityRoleImpl#sap.com/irj#com.sap.engine.services.security.roles.SecurityRoleImpl#Guest#2127####46ce8210aefd11dcc68f0018714e4a14#Thread[Thread-59,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Error#1#/System/Security/Audit/J2EE#Java###: Authorization check for caller assignment to J2EE security role [ :
  Any idea about it?
  Thanks friends

  Hi Holger,
  Thanks for the tip, it could be the case, I just checked and we are on Patch 0 for JEECOR as you can see here below:
  sap.com/SAP-JEECOR   7.00 SP13 (1000.7.00.13.0.20070907082334)  20071028144036 
  sap.com/SAP-JEE          7.00 SP13 (1000.7.00.13.2.20071026143730)  20071203150628 
  Will inform some people internally to patch to atleast 3 to check if it still occures.
  Anyway, Thanks again..
  Benjamin Houttuin

• Error :Authorization check for caller assignment to J2EE security role whil

  Hi Experts,
               i m working as a portal resource .
  after the deployment of standered Sap e-rec package .
  i m getting some error. i have assigned the recruiter role to one test user.
  Now i m getting two issue:
  1)All the services are appearing in Detailed Navigation Pannel but not in Portal content area..
  2) I m able to see few iview for the test user but those are also in detailed navigation view.
     And few ivews are giving following error :
    i)Internal error
  ii)error 2011-12-19 07:59:57:315 ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
  /System/Security/Audit/J2EE com.sap.engine.services.security.roles.audit n/a EP-DEV-KRT Server 0 0_97989
  Full Message Text
  ACCESS.ERROR: Authorization check for caller assignment to J2EE security role [sap.com/com.sap.lcr*sld : LcrInstanceWriterNR] referencing J2EE security role [SAP-J2EE-Engine : administrators].
  please suggest what can be  done or what is pending from my side.

  Prajakta2602 wrote:
  Hi Experts,
  >
  > the previous issue got solved..
  > it was due to servies pack miss match and applying notes
  > the Basis guy  checked the SLD logs and accordingly found that the base components J2EECORE and JTECHS required paching as per
  > notes 1445294 and 1175239 were applied.
  > now the issue is:
  >
  >
  >  After implemetation and  i assigning the standerd sap roles
  > 1)Recruiter Administrator
  > 2)Recruiter
  > to the test user .
  > but for few iview it is showing error as in
  > 1) you are not a authorized user
  > 2) internal error
  >
  > please help experts.
  >
  >  i m working on portal side have i to assign any role to that test user..
  >
  >
  > Thnaks & Regards,
  > Prajakta
  You can run a quick check using the below steps:
  1. Check in backend whether there is any authorisation errors... you may use transactions SU53 or ST22 for any ABAP errors
  2. Also check in NWA -> log viewer -> last 24 hours log for the particular user to see any java related issues.
  Regards,
  Mahesh

• J2EE Security Provider Service in NWA on 7.10?

  Hi,
  In versions up to 7.0, there was a J2EE Security Provider Service which could be configured in Visual Administrator to control fine-grained security between deployed components on the system. I cannot find anything similar in NetWeaver Administrator in 7.1. Has this become obsolete or am I overlooking something?
  Thanks,
  Thorsten

  Hi,
  NWA -> Configuration Management -> security -> authentication
  here you can find the required policy configurations
  regards,
  Jozsef

• J2EE security, OID and account lockout

  Hi!
  I have created a Webcenter application (in Jdev 10.1.3). I have added standard J2EE security to both the portlets and the Webcenter app, using form-based authentication. On the application server, I use the OID for authentication (without SSO).
  Now, when a user logs in, all works fine, but after a short period (maybe session timeout?) the OID account becomes locked.
  Has anyone seen this before? It is really troublesome.
  Jeroen van Veldhuizen

  Jeroen,
  you should try checking the OID logs at the time of the lockouts, it seems to me it is probably an OID setting or issue.
  Cheers,
  Mick.

• Can we pass J2EE security context to a xdp form?

  I am doing a J2ee application developement that a user will logon to the application and open the form,fill it and press submit button to call a web service. The form submit button is pointing to a web service that needs security authentication such as:
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken>
    <wsse:Username>user</wsse:Username>
    <wsse:Password>password</wsse:Password>
    </wsse:UsernameToken>
    </wsse:Security>
  I am wondering how to pass the security header info to the SOAP header so user doesn't have to type user name and password again when hiting submit button since he already logon to the apllication. Can and how the LiveCycle Forms server take the header info from Java API call and fill the submit button SOAP security header?  I got stucked here and I would really appreciate if someone can guide me on this.  Thanks.
  Jinyu

  Is my question in a wrong topic? I want to know how your guys handle the forms web service call with wsse:UsernameToken authentication enabled. Can forms API be used to pass the security header info? Thanks.